Default Windows Processes

Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware. Use the information below as a reference to know what’s normal in Windows and to focus your attention on the outliers.
When searching for malicious processes, look for any of these anomalous characteristics:
    • Started with the wrong parent process
    • Image executable is located in the wrong path
    • Misspelled process names (look-alikes of legitimate image names)
    • Processes that are running under the wrong account (incorrect SID)
    • Processes with unusual start times (e.g., starting minutes or hours after boot when they should start within seconds of boot)
    • Unusual command-line arguments
    • Packed executables
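To turn the checklist above into something you can run over a process listing, here is an added example in Python (not part of the original reference): it compares each process against a small baseline of well-known defaults (parent, image directory, account) and flags names that are only a character or two away from a default. The baseline rows are a hand-picked subset for illustration and the sample process records are constructed, not a live snapshot.

```python
import ntpath
from dataclasses import dataclass
from difflib import get_close_matches
from typing import List, Optional

# Baseline: image name -> (allowed parents, expected directory, allowed accounts
# or None when the account legitimately varies). Assumption: a hand-picked subset
# of well-known defaults for illustration, not a complete baseline.
BASELINE = {
    "services.exe": ({"wininit.exe"}, r"c:\windows\system32", {"SYSTEM"}),
    "lsass.exe": ({"wininit.exe"}, r"c:\windows\system32", {"SYSTEM"}),
    "svchost.exe": ({"services.exe"}, r"c:\windows\system32",
                    {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}),
}

@dataclass
class Proc:
    pid: int
    name: str
    parent_name: Optional[str]  # None when the parent has already exited
    path: str
    account: str

def check_process(p: Proc) -> List[str]:
    """Return the anomalies found for one process; an empty list means it looks normal."""
    findings, name = [], p.name.lower()
    if name not in BASELINE:
        # Unknown image: flag names within a character or two of a known default.
        near = get_close_matches(name, BASELINE, n=1, cutoff=0.8)
        if near:
            findings.append(f"name '{p.name}' resembles default '{near[0]}'")
        return findings
    parents, directory, accounts = BASELINE[name]
    if p.parent_name and p.parent_name.lower() not in parents:
        findings.append(f"unexpected parent '{p.parent_name}', expected {sorted(parents)}")
    if ntpath.dirname(p.path.lower()) != directory:
        findings.append(f"unexpected path '{p.path}', expected {directory}")
    if accounts and p.account.upper() not in accounts:
        findings.append(f"unexpected account '{p.account}', expected {sorted(accounts)}")
    return findings

def scan(procs: List[Proc]) -> dict:
    # Map pid -> findings for every process that deviates from the baseline.
    return {p.pid: f for p in procs if (f := check_process(p))}

# Constructed sample listing: two normal entries, one svchost.exe with the wrong
# parent, path and account, and one look-alike name.
SAMPLE = [
    Proc(600, "services.exe", "wininit.exe", r"C:\Windows\System32\services.exe", "SYSTEM"),
    Proc(904, "svchost.exe", "services.exe", r"C:\Windows\System32\svchost.exe", "NETWORK SERVICE"),
    Proc(3120, "svchost.exe", "explorer.exe", r"C:\Users\Public\svchost.exe", "CORP\\jdoe"),
    Proc(4410, "scvhost.exe", "services.exe", r"C:\Windows\System32\scvhost.exe", "SYSTEM"),
]
```

Extend BASELINE with the rest of the default process table and feed `scan()` records built from a live listing; start-time and command-line checks from the list above can be added as further fields on `Proc`.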

Process view on a Windows 10 machine